UK Data Privacy Laws in a Post-Brexit World

Tuesday, June 28, 2016

Following the United Kingdom’s nonbinding vote to leave the European Union (“Brexit”), what do businesses need to consider for data privacy compliance?

Membership of the European Union has meant that UK businesses are subject to numerous data protection laws. The United Kingdom enacted most of its data protection legislation, such as the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003, to implement European directives. Businesses in the United Kingdom are also directly subject to European regulations, such as the Data Breach Notification Regulations 2013, the Clinical Trials Regulations 2014, and the European Commission (the Commission) decisions on transfers of personal data outside the European Union, because regulations apply across the Union without the need for the UK government to pass domestic legislation. Finally, the European Parliament and the Council have adopted the new General Data Protection Regulation (GDPR). The GDPR will apply from 25 May 2018, directly, to any business established in the European Union and to any business outside it that offers goods or services to, or monitors the behaviour of, individuals in the Union.

Following the referendum decision to leave the European Union, many are wondering what Brexit will mean for UK businesses. When the new prime minister invokes Article 50 of the Treaty on European Union (inserted by the Lisbon Treaty), formally notifying the United Kingdom’s intention to withdraw, negotiations will begin on the terms of withdrawal and on the United Kingdom’s future access to the European single market.

UK Businesses

Existing domestic legislation would remain in effect unless and until the government changes it. This means that businesses in the United Kingdom would continue to be subject to the Data Protection Act 1998. The Information Commissioner’s Office (ICO) would remain the data protection authority, with regulatory powers to investigate breaches of the DPA and issue penalties for noncompliance. Businesses based only in the United Kingdom would no longer be subject to European data protection legislation that has direct effect in the European Union, such as the regulations listed above, or to Commission decisions on, for example, cross-border data transfers (see below). The ICO has announced that UK data protection standards will need to be equivalent to those in the GDPR if the United Kingdom wants to trade with the European single market post-Brexit.

To date, the UK courts and the ICO have adopted a relatively pro-business approach, in contrast to some of the United Kingdom’s continental cousins. For example, the concept of consent has been strictly interpreted throughout the continent, but in the United Kingdom, “deemed consent” is valid, except in relation to sensitive personal data.

Data security is becoming increasingly important for businesses. Similarly, privacy is becoming increasingly important for individuals globally. It therefore seems unlikely that any government would wish to repeal the DPA and pass weaker data protection laws in the United Kingdom, thereby undermining consumer confidence in UK businesses and potentially leaving them more exposed to data security breaches.

European Businesses

UK businesses with European operations, with servers in Europe, or that engage processors in Europe will continue to be subject to the data protection laws of those European countries in relation to the European aspects of their business. Additionally, any UK business that offers goods or services to consumers in the European Union, or that directs a website at users there (mere accessibility of a website from Europe is not by itself enough to bring a business within the GDPR), will need to comply with the GDPR and with the national laws implementing the Privacy and Electronic Communications Directive in the countries where the users are based.

Cross-Border Transfers

Most UK businesses will almost certainly need to transfer personal data to Europe and to countries outside the European Union, such as the United States. Currently, while the United Kingdom remains part of the European Union, personal data may not be transferred outside the European Economic Area unless the individual consents, the destination is a country the Commission has found “adequate” (such as Canada or Switzerland), or the business has in place another legally permissible mechanism (such as the Commission’s model clauses or binding corporate rules). If the United Kingdom leaves the European Union, the UK government will need to decide whether to retain the same restrictions on cross-border transfers or adopt an alternative. If the proposed EU-US Privacy Shield is adopted, the United Kingdom will also need to decide whether to adopt a similar model for transfers from the United Kingdom to the United States, assuming the current restriction on such transfers is retained.

Additionally, the United Kingdom is likely to apply to the Commission for a decision of “adequacy,” which would allow businesses in the European Union to transfer personal data to the United Kingdom without further safeguards. Whether it succeeds will depend on whether the government has passed laws that depart from the current DPA, and on whether the Commission regards the standard of “adequacy” as having been raised once the GDPR takes effect, which seems likely. In that event, in 2018 and post-Brexit, the United Kingdom, like countries that are currently “adequate,” will need to seek adequacy status from the Commission under the GDPR.

Data Breaches

The DPA does not impose a mandatory data breach reporting obligation. The GDPR, however, requires a business to notify the data protection authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and, where the breach is likely to result in a high risk to them, to notify the affected individuals as well. The government will, therefore, need to decide whether to pass a data breach notification law, either mirroring the strict GDPR requirement or adapted to a more pro-business approach.

Conclusion

Although the United Kingdom was one of the dissenting voices in the GDPR negotiations and was particularly vocal about the onerous effect on UK businesses, it seems unlikely that the United Kingdom will reduce the data protection obligations on UK businesses. To do so would necessarily reduce the level of data privacy protection currently afforded to individuals. It will be interesting to see how cross-border issues such as data transfers and data breach notification requirements will apply post-Brexit. The United Kingdom is unlikely to want to be seen as out of step with the rest of Europe, which will, to a large extent, remain its biggest trading partner. The potential alternatives are that the United Kingdom joins the European Economic Area, like Norway or Iceland, whose members adopt much of the European Union’s single-market legislation, or that it negotiates bilateral access to the single market, as Switzerland has. Either alternative means that the United Kingdom will need to amend the DPA or pass new laws similar to the GDPR.

Pulina Whitaker’s practice encompasses both labor and employment matters as well as data privacy and cybersecurity. She manages employment and data privacy issues in sales and acquisitions, commercial outsourcings, and restructurings. Pulina provides day-to-day advisory support for multinationals on all employment issues, including the UK’s Modern Slavery Act and gender pay reporting requirements. She also advises on the full spectrum of data privacy issues, including preparing for the General Data Protection Regulation. Pulina has deep experience managing international...

As practice group leader for Morgan Lewis’s labor and employment practice in London, Matthew Howse represents clients in the financial services, media, legal, and insurance industries in High Court and employment tribunal litigation. His experience includes employment law as well as privacy and cybersecurity law. In addition to litigating both contentious and noncontentious issues, Matthew provides strategic employment law advice and counsels clients on the employment law aspects of transactions.

Mark L. Krotoski represents and advises clients on antitrust cartel investigations; cybersecurity and privacy matters; trade secret, economic espionage, fraud, and foreign corrupt practices cases; and government investigations. With nearly 20 years of experience as a federal prosecutor and a leader in the US Department of Justice (DOJ), Mark provides clients with a unique blend of litigation and investigative experience. He has tried 20 cases to verdict and successfully argued appeals before the US Court of Appeals for the Ninth and Sixth Circuits.

Gregory T. Parks counsels and defends retail companies and other consumer facing clients in matters related to privacy and cybersecurity, class actions and Attorney General actions, consumer protection laws, loyalty and gift card programs, retail operations, payment mechanisms, product liability, waste management, shoplifting prevention, compliance, antitrust, and commercial disputes. If it is important to a retail company, Greg makes it his business to know it. He handles all phases of litigation, trial, and appeal work arising from these and other areas. Greg is the co...
